Backdoored Phishing Kits are still popular

What did you do for the holidays?  If you're a cybercrime geek you probably took advantage of some of the extra time on your hands to investigate some new phishing sites, right?

Jone Fredrick is the type of Facebook user who is quite open about his criminal activity.  He boasts about his phishing skills by having a Facebook profile picture of someone taking a selfie showing their government issued ID and their credit card!  He claims to live in Blida, Algeria, and probably does.  Over the holidays Jone update his YouTube channel, "mr azert" with a new Chase Bank phishing kit.  (Phishers don't call this phishing.  They call it "bank scams" or "scam pages."

In the past two weeks, Jone, who uses the alias "Mr Azert", has uploaded several videos about his new scam pages to his YouTube channel.  Chase, Spotify, Dropbox, Alibaba, and Paypal all have new scam pages courtesy of Mr Azert.  How generous that he just gives them away for free!

After listening to so much bad gangster/scammer rap music, it was nice to hear some Algerian rap while I did my investigation.  Mr Azert confirms this is him by replying to "Tutor Arena421" giving him his email address (foley.victoria998@gmail.com) and Facebook address ( jone.fredrick.79).

Of course, we report the offending content to YouTube.  If you ever encounter the same, please use the "Report" function.  The correct flow is to click the "Three Dots" ... then "Report".  Then choose  "Spam or misleading" and then the subcategory "Scams / fraud"

In this case, the reason Mr Azert is giving away these phishing kits is that he has backdoored all of the kits.  We'll look at the Chase one first.   There are five separate PHP files that send the various stolen information back to the person using the kit.  

When we look at the actual "Send" command, we notice that the email command says "for each $send" ... but the instructions for the kit have told the kit downloader that they should include their own email address in a certain place, which is "import"ed into this code.  What other address is being used here?

If we scroll up about we see that $send is receiving a variable called "token" from the form post that called this PHP code, and then converting it into ASCII with "hex2bin".

The calling code in this case is "myaccount.php" which seems to do some "input validation" but in reality, is also loading the "token" value:

That hex string at the bottom starting with "6665" is decoded in the "hex2bin" call into a pair of email addresses:  

  fenction@gmail.com  and fenction@yahoo.com

So, anyone who downloads Mr Azert's kit is going to either create or hack a website, upload and unpack the kit, spam out links to that URL, and then have all of their stolen data go back to Mr Azert in Algeria, who is likely to be better at cashing out the information than someone too lame to make their own phishing kit.

We're of course reporting all of this to YouTube, Gmail, Yahoo, and Facebook ... 

So how did you spend YOUR holiday?  

Happy New Year everyone!

TrickBot: New Injects, New Host

What’s in the Name: Call it IcedID or TrickBot? Tell that to a security researcher (Arsh Arora in this case) and watch them RANT

(Gar-note: today's blog post is a guest blog from malware analyst, Arsh Arora...) 

Today’s post starts with an interesting link from Dawid Golak's Medium post: “IcedID aka# Bokbot Analysis with Ghidra” which mentions that IcedID is dropping TrickBot. Although the article is about IcedID, it gets confusing quickly, because the researcher focused on finding artifacts for IcedID instead finds TrickBot artifacts. A big question for the security industry still remain is to how to classify the malware from the originator or the binary that is being dropped. We followed up on the sample he mentioned and saw the same thing.  This is definitely Trickbot.

First Stage – Sample Collection from Virus Total Intelligence

In the "AnyRun Analysis" linked to by Dawid, the TrickBot binary was downloaded from “54.36.218[.]96 (slash) tin[.]exe

Virus total link (50/ 71 detections) https://www.virustotal.com/intelligence/search/?query=84878B4967A4243CD904794F3B8B2812

Fig 1: TrickBot Sample

Second Stage – Sample Execution

After the execution in a virtual environment, I was able to see TrickBot behavior similar to what we have documented in the past in our post "Trickbot's New Magic Trick: Sending Spam":

A large number of config files and dlls were loaded into the Roaming/netcache/Data, a  unique behavior of the TrickBot binary.

Fig 2: Configs and Dlls Loaded

Third Stage – Open Firefox and visit different Bank website

It is often the case that to get any banking trojan to co-operate with the researcher, some initiation from the researcher side is needed. Due to past experience, I have learned that one needs to open up a browser and visit different bank websites to activate the banking trojan. The trojan resists until instigated by visits to these pages. I visited close to 20 different bank websites and was able to obtain injects from 7 of those bank websites. The injects and admin login panels of the websites are as follows.

Name of  Bank	Admin Login Panel	IP	Location
Bank of America	https://aefaldnessliverhearted[.]com/load/	185.242.6.245	AS9009, Prague
Chase	https://aefaldnessliverhearted[.]com/load/	185.242.6.245	AS9009, Prague
Citi	https://remirollerros[.]com/legr/	109.234.37.246	AS48282, RU
Usaa	https://onlylocaltrade[.]com/lob.php	185.87.187.198	AS48635,NL
WellsFargo	https://wellsfargostrade.com/2wells2	185.36.189.143	AS50673, NL
PNC	https://wellsfargostrade[.]com/pncadmin/index.php	185.36.189.143	AS50673, NL
53 Bank	https://wellsfargostrade[.]com/53repadmin2	185.36.189.143	AS50673, NL

When infected, viewing the source code while visiting one of the banks is all that is needed to identify the data exfiltration destination.  Some examples follow from this infection run:

BankofAmerica

Fig 3: BoA Web Inject

Chase

Fig 4: Chase Web Inject

Fig 5: BoA and Chase Admin Panel

Citi

Fig 6: Citi Web Inject

Fig 7: Citi Login Panel

USAA

Fig 8: USAA Web Inject

WellsFargo

Fig 9: WellsFargo Web Inject

Fig 10: WellsFargo Admin Panel

PNC

Fig 11: PNC Web Inject

Fig 12: PNC Admin Panel

53 Bank

Fig 13: 53 Bank Web Inject

Fig 14: 53 Bank Admin Panel

For more details please contact Arsh Arora (ararora at uab.edu) or Gary Warner (gar at uab.edu) at UAB. Please note:  Arsh is defending his PhD this summer and looking for new opportunities.

IcedID - New Banking Trojan targets US-based companies with web injects

The malware research team in the UAB Computer Forensics Research Lab is widening its horizon and is always on the look out for new malware families. While researching new malware families, Arsh Arora, Ph.D. Candidate at UAB, found some chatter about the new banking trojan IcedId.  Although ransomware is the most discussed malware in the press for many financial institutions the most feared malware type is the Banking Trojan. The objective of most banking trojans is to steal banking credentials and eventually steal the money from account holders.

IcedID Banking Trojan 

IBM X-Force discovered a new banking trojan IcedID that was first detected in September 2017. It is known as modified version of the Zeus Trojan. The following trojan spreads by Emotet worm which is able to spread from machine to machine inside a network via weak administrator passwords.

One of our malware research team members, Shawn Sharp,  decided to dig into this malware. IBM had already provided a detailed explanation of the infection part, so we decided to take a different approach and focused on analyzing the web injects on a number of websites.

The sample used to test was:

MD5 - a6531184ea84bb5388d7c76557ff618d59f951c393a797950b2eb3e1d6307013

Virus Total Detection - 49/67. The sad part is that only 1 of the 49 detection named it IcedID, which commonly happens when marketing departments name malware. (The only company to call it IcedID was ALYac, the anti-virus product from ESTSecurity Corp in Seoul, Korea.  ESET, Microsoft, and TrendMicro all call this a sample of Fareit malware.)

When Shawn launched the process, it didn't trigger on its own but a browser had to be launched to activate the banking trojan. 

Fig. 1: Activation of Banking Trojan IcedID

Once the trojan was activated, following financial institution strings were found in the memory of the running sample when checked through Process Hacker.

bbt
jpmorgan
americanexpress
bankofamerica
tdbank
chase
citigroup
discover
ebanking-services
etrade
citi
adp
usaa
wellsfargo

When we visited a few of these websites and provided them fake credentials, the webinject process modifies the user experience by asking the website visitor for extra details. It is noteworthy that these changes to the page happen in browser memory, meaning that the "https:" and "Secure" labels are still present, even though the page has been altered.   

Amazon - 

Fig. 2: Amazon Web-Inject asking for card number

Although we really are at Amazon.com, the malware is causing our browser to ask us for the details of our credit card!

Chase

Fig. 3: Chase Web-Inject asking for additional details

The malware makes Chase's website appear to ask us for not only our Card Number and Expiration Date, but also our CVV and PIN!

Citi

Fig. 4: Citi Web-Inject asking for additional details

Machines infected with IcedID will also ask for these details after a login attempt at Citi.com!

Discover

Fig. 5: Discover Web-Inject asking for additional details

The Discover.com website asks for card details, but also our Date of Birth and the last four digits of our Social Security Number!

Researchers will be diving in deep and try to reverse engineer the binary for additional information. Stay tuned for more updates.  In the meantime, if you hear of a friend complaining that their bank is asking them for too much information -- it may mean that they are infected with malware!